Cybersecurity degrees

Jan 22, 2022 Tags: #security #getting-into-infosec

I see many conversations around cybersecurity education, requirements to find work and gatekeeping. While I’ve got a lot to say about it, getting into them would be mildly unproductive, especially in environments crafted for argument rather than for finding new meaning and consensus. But this conversation got me on it again: https://twitter.com/kylieengineer/status/1482485311158779905

The particular example there is “learning to fit current security needs” vs “learning XX fundamentals” (CS, infra, risk, whatever).

What I feel sad about is that we’re having typical “necessity and sufficiency” discussions without naming them as such, but I’ll try to use the language these discussions are happening in. So:

Taking a few steps back, the heuristics look like this. You shouldn’t be entitled to make any risk-related or security-related decisions unless:

  1. the breadth and depth of your knowledge allow you to look deep into root causes and wide into effects.
  2. you bear (at least partial) consequences of your decisions.

But all this grumbling is irrelevant, and here’s why.

We’re so terribly understaffed that whoever is useful at any level will have a job.

Making someone learn (by earning a cybersecurity degree) and believe that “exposing system processes to user input is bad”, without understanding how certain classes of vulnerabilities come to exist or how processes and the OS manage memory, is still OK. It is good enough to hope that we’ll have more hands on the front line doing the right thing now.

The best will deepen their knowledge where it matters and eventually become well-rounded through experience and self-learning. Some will only seek marketable skills, that next training and certification, over and over again, and sell a combination of “experience” + “latest update in my knowledge set”. Some will remain stubbornly attached to the outdated ideas they were taught.

Aiming for a “degree in cybersecurity” is as good as a “degree in CS”, a “degree in cryptography and traditional information security”, or a “degree in technical security and investigations within LE educational frameworks”. Education should be an entry point, rather than a destination, in this complex environment. Each person has their own preference for the most exciting entry point: when you’re 18, it matters emotionally; when you’re switching from another profession through secondary education later in life, it matters mentally. Security is not easy, so maximising your velocity by actually liking what you learn and extending your skillset from there works. Nobody comes out of university really employable anyway.

Discussions about which degrees or certifications are “good” are irrelevant. They come from the poor hiring practices of companies that have no idea how to hire good security people, due to a lack of good security people inside. Making life choices based on such low-quality demand signals is the last thing you want to do while entering the hard, frustrating and fun world that infosec is.

So, perhaps, we should be discussing “how to fill the gaps in knowledge for people coming from different backgrounds and bring them to a level where they’re compatible background-wise and skill-wise”, rather than worrying about which entry points should exist or be prioritised.

We’re too short of smart people on the front line to dismiss any chance of getting more of them in. Even if most end up being mediocre, mediocre is good enough for many of the tasks at hand.